ldap_set_option() is not setting the option "LDAP_OPT_SSL"
<p>I have a Windows application that is trying to connect to an LDAP server running on secured port 10636.</p>
<p>Here's the source:</p>
<pre><code>#include "windows.h"
#include "ntldap.h"
#include "winldap.h"
#include "schnlsp.h"
#include "stdio.h"
#include "tchar.h"

const size_t newsize = 100;

// Entry point for your application
int main(int argc, char* argv[])
{
    LDAP* pLdapConnection = NULL;
    INT returnCode = 0;
    INT connectSuccess = 0;
    ULONG version = LDAP_VERSION3;
    SecPkgContext_ConnectionInfo sslInfo;
    LONG lv = 0;

    // Initialize an LDAP session using SSL.
    pLdapConnection = ldap_sslinit("localhost", 10636, 1);
    if (pLdapConnection == NULL)
    {
        printf("ldap_sslinit failed.\n");
        return -1;
    }

    // Specify version 3; the default is version 2.
    printf("Setting Protocol version to 3.\n");
    returnCode = ldap_set_option(pLdapConnection, LDAP_OPT_PROTOCOL_VERSION, (void*)&amp;version);
    if (returnCode != LDAP_SUCCESS)
        goto FatalExit;

    // Verify that SSL is enabled on the connection.
    printf("Checking if SSL is enabled\n");
    returnCode = ldap_get_option(pLdapConnection, LDAP_OPT_SSL, (void*)&amp;lv);
    if (returnCode != LDAP_SUCCESS)
        goto FatalExit;

    // If SSL is not enabled, enable it.
    if ((void*)lv == LDAP_OPT_ON)
        printf("SSL is enabled\n");
    else
    {
        printf("SSL not enabled.\n SSL being enabled...\n");
        returnCode = ldap_set_option(pLdapConnection, LDAP_OPT_SSL, LDAP_OPT_ON);
        if (returnCode != LDAP_SUCCESS)
            goto FatalExit;
    }

    // Connect to the server.
    connectSuccess = ldap_connect(pLdapConnection, NULL);
    if (connectSuccess == LDAP_SUCCESS)
        printf("ldap_connect succeeded \n");
    else
    {
        printf("ldap_connect failed with 0x%x.\n", connectSuccess);
        goto FatalExit;
    }

    // Bind with current credentials.
    printf("Binding ...\n");
    returnCode = ldap_bind_s(pLdapConnection, NULL, NULL, LDAP_AUTH_NEGOTIATE);
    if (returnCode != LDAP_SUCCESS)
        goto FatalExit;

    // Retrieve the SSL cipher strength.
    printf("Getting SSL info\n");
    returnCode = ldap_get_option(pLdapConnection, LDAP_OPT_SSL_INFO, &amp;sslInfo);
    if (returnCode != LDAP_SUCCESS)
        goto FatalExit;
    printf("SSL cipher strength = %d bits\n", sslInfo.dwCipherStrength);
    goto NormalExit;

    // Perform cleanup.
NormalExit:
    if (pLdapConnection != NULL)
        ldap_unbind_s(pLdapConnection);
    return 0;

    // Perform cleanup after an error.
FatalExit:
    if (pLdapConnection != NULL)
        ldap_unbind_s(pLdapConnection);
    printf("\n\nERROR: 0x%x\n", returnCode);
    return returnCode;
}
</code></pre>
<p>After setting <code>ldap_set_option(pLdapConnection,LDAP_OPT_SSL,LDAP_OPT_ON);</code>, the application is still not able to set the option. Hence, the connection fails with return code <code>LDAP_SERVER_DOWN</code>.</p>
<p>Can someone point out why it is not able to set the option? The server does support <code>ldaps://</code> connections.</p>
<p><strong>UPDATE:</strong> When I did an ldapsearch on the LDAP server</p>
<pre><code>ldapsearch -x -H ldaps://localhost -p 10636 -d 1
</code></pre>
<p>I got the error:</p>
<pre><code>ldap_url_parse_ext(ldaps://localhost:10636)
ldap_create
ldap_url_parse_ext(ldaps://localhost:10636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:10636
ldap_new_socket: 472
ldap_prepare_socket: 472
ldap_connect_to_host: Trying ::1 10636
ldap_pvt_connect: fd: 472 tm: -1 async: 0
attempting to connect:
connect errno: 10061
ldap_close_socket: 472
ldap_new_socket: 472
ldap_prepare_socket: 472
ldap_connect_to_host: Trying 127.0.0.1:10636
ldap_pvt_connect: fd: 472 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=US/O=ASF/OU=ApacheDS/CN=zanzibar, issuer: /C=US/O=ASF/OU=ApacheDS/CN=zanzibar
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
</code></pre>
<p>However, after adding "TLS_REQCERT never" to ldap.conf everything started working.</p>
<p>Now, <strong>how do I make my sample program skip "TLS certificate verification"?</strong></p>
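The ldapsearch trace above fails because the ApacheDS certificate is self-signed and issued by no trusted CA, which is what the Windows client runs into as well. The Windows LDAP API lets the client decide on the server certificate itself through the LDAP_OPT_SERVER_CERTIFICATE option, which takes a VERIFYSERVERCERT callback. The following added example (my code, not the asker's program) uses that callback to pin the SHA-1 thumbprint of the known self-signed certificate rather than accepting any certificate the way TLS_REQCERT never does. The pinned thumbprint value is a constructed placeholder; the helper that parses and compares thumbprints is portable so it can be exercised off Windows, while the wldap32/CryptoAPI parts are compiled only under _WIN32.

```c
/*
 * Added example (not code from the original post): pin the LDAP server's
 * certificate thumbprint from a VERIFYSERVERCERT callback registered with
 * LDAP_OPT_SERVER_CERTIFICATE, instead of disabling verification.
 * PINNED_THUMBPRINT is a constructed placeholder; replace it with the real
 * thumbprint of the ApacheDS certificate.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#include <winldap.h>
#include <wincrypt.h>
#endif

#define SHA1_LEN 20
#define PINNED_THUMBPRINT "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67"

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "AB:CD:..." (colons/spaces optional, any case) into raw bytes.
 * Returns the number of bytes written, or -1 on malformed input. */
int parse_thumbprint(const char *hex, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        if (*hex == ':' || *hex == ' ') continue;
        int v = hexval((unsigned char)*hex);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= out_len) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    if (hi >= 0) return -1;            /* odd number of hex digits */
    return (int)n;
}

/* Compare a presented SHA-1 hash with the pinned value without early exit,
 * so timing does not reveal how many leading bytes matched. */
int thumbprint_matches(const unsigned char *hash, size_t hash_len, const char *pinned)
{
    unsigned char expected[SHA1_LEN];
    if (parse_thumbprint(pinned, expected, sizeof expected) != SHA1_LEN) return 0;
    if (hash_len != SHA1_LEN) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < SHA1_LEN; i++) diff |= hash[i] ^ expected[i];
    return diff == 0;
}

/* Portable driver: treat a hex string as the thumbprint a server presented
 * and check it against PINNED_THUMBPRINT. 1 = accept, 0 = reject. */
int check_hex_against_pin(const char *presented_hex)
{
    unsigned char hash[SHA1_LEN];
    int n = parse_thumbprint(presented_hex, hash, sizeof hash);
    if (n < 0) return 0;
    return thumbprint_matches(hash, (size_t)n, PINNED_THUMBPRINT);
}

#ifdef _WIN32
/* Called by wldap32 during the TLS handshake with the server's certificate.
 * Returning FALSE aborts the connection. The callback owns the context and
 * must release it with CertFreeCertificateContext. */
BOOLEAN _cdecl VerifyServerCert(PLDAP Connection, PCCERT_CONTEXT *pServerCert)
{
    BOOLEAN ok = FALSE;
    unsigned char hash[SHA1_LEN];
    DWORD len = sizeof hash;
    (void)Connection;
    if (pServerCert && *pServerCert) {
        /* CERT_HASH_PROP_ID yields the SHA-1 thumbprint of the encoded cert. */
        if (CertGetCertificateContextProperty(*pServerCert, CERT_HASH_PROP_ID, hash, &len))
            ok = thumbprint_matches(hash, len, PINNED_THUMBPRINT) ? TRUE : FALSE;
        CertFreeCertificateContext(*pServerCert);
    }
    return ok;
}

/* Register the callback on a session from ldap_sslinit(), before ldap_connect(). */
ULONG install_cert_pin(LDAP *ld)
{
    return ldap_set_option(ld, LDAP_OPT_SERVER_CERTIFICATE, (void *)VerifyServerCert);
}
#endif
```

In the asker's program, install_cert_pin(pLdapConnection) would go right after ldap_sslinit() succeeds and before ldap_connect(). Pinning the one known certificate keeps the ldaps connection authenticated against the self-signed ApacheDS cert; a callback that simply returns TRUE would reproduce TLS_REQCERT never and let any certificate through.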
 
